What Happened

A vulnerability in @hulumi/policies allows developers to bypass policy packs by forging the logical name of a Pulumi URN. The bug occurs because policy rules check for a trusted substring anywhere in the URN string, and that substring can also appear in the developer-controlled logical-name portion of the URN.

Who Is Affected

Consumers of @hulumi/policies versions earlier than 1.4.0. The affected rules cover resources such as aws:s3:Bucket, github:Repository, cloudflare:Zone, and cloudflare:DnsRecord.

Severity & Impact

The vulnerability has a severity score of 8.4 (High) and allows raw resources to bypass mandatory hardening checks.

Mitigation

Upgrade to @hulumi/policies@1.4.0, which includes a new shared helper that parses Pulumi URNs structurally and only looks for the trusted parent-type token inside the URN's type-chain segment.
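To make the substring bug and the structural fix concrete, here is an added example (not code from @hulumi/policies or from the advisory) contrasting the two checks over constructed URNs. It assumes the standard Pulumi URN layout `urn:pulumi:<stack>::<project>::<type-chain>::<name>` with parent types joined by `$`, and uses a hypothetical trusted wrapper type `hulumi:components:HardenedBucket` as the token; the real token name is not given on the page.

```typescript
// Hypothetical trusted parent type (placeholder, not taken from the advisory).
const TRUSTED_PARENT = "hulumi:components:HardenedBucket";

// Vulnerable pattern described by the advisory: a substring match over the
// whole URN, so the developer-chosen name segment can satisfy it.
function isWrappedNaive(urn: string): boolean {
  return urn.includes(TRUSTED_PARENT);
}

interface ParsedUrn {
  stack: string;
  project: string;
  typeChain: string[]; // outermost parent first, the resource's own type last
  name: string;
}

// Structural parser. Only the first three "::" separators are structural;
// anything after the third belongs to the name, so a name that itself
// contains "::" cannot shift which segment is read as the type-chain.
function parseUrn(urn: string): ParsedUrn | null {
  const prefix = "urn:pulumi:";
  if (!urn.startsWith(prefix)) return null;
  const parts = urn.slice(prefix.length).split("::");
  if (parts.length < 4) return null;
  const [stack, project, typeChain] = parts;
  if (!stack || !project || !typeChain) return null;
  return { stack, project, typeChain: typeChain.split("$"), name: parts.slice(3).join("::") };
}

// Hardened check: the trusted token must be one of the *parent* types in the
// type-chain (every element except the last), never anywhere in the name.
function isWrappedStructural(urn: string): boolean {
  const parsed = parseUrn(urn);
  if (!parsed) return false;
  return parsed.typeChain.slice(0, -1).includes(TRUSTED_PARENT);
}

// Constructed sample URNs: one genuinely wrapped bucket and one raw bucket
// whose logical name merely contains the trusted token.
const SAMPLES = {
  wrapped: "urn:pulumi:prod::infra::hulumi:components:HardenedBucket$aws:s3/bucket:Bucket::site-assets",
  forgedName: "urn:pulumi:prod::infra::aws:s3/bucket:Bucket::hulumi:components:HardenedBucket-site-assets",
  forgedSeparator: "urn:pulumi:prod::infra::aws:s3/bucket:Bucket::x::hulumi:components:HardenedBucket$aws:s3/bucket:Bucket::y",
};

// Returns, per sample, what each check decides so the difference is visible.
function compareChecks(): Record<string, { naive: boolean; structural: boolean }> {
  const out: Record<string, { naive: boolean; structural: boolean }> = {};
  for (const [label, urn] of Object.entries(SAMPLES)) {
    out[label] = { naive: isWrappedNaive(urn), structural: isWrappedStructural(urn) };
  }
  return out;
}
```

Both forged samples pass the substring check and fail the structural one, while the genuinely wrapped bucket passes both.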